Security Headers Generator

Pick the headers you want, copy the exact config for your server. The fix-side companion to the headers checker.

Runs entirely in your browser — nothing is transmitted anywhere.

1 · Choose headers

2 · Pick your platform


    

How it works

The generator emits the same recommended values our checker grades as a pass: a one-year HSTS with includeSubDomains, a strict starter CSP with no unsafe-inline, nosniff, dual frame protection, a privacy-preserving referrer policy, and a lock-it-down Permissions-Policy. Everything is generated locally from fixed templates — scoring detail on the methodology page.

FAQ

Will these headers break my site?

Most are safe to add as-is: HSTS (if you're fully on HTTPS), nosniff, frame protection, and Referrer-Policy rarely break anything. CSP is the exception — the starter policy here blocks inline scripts and third-party sources, so test it in report-only mode first and extend it for what your site actually loads.

Why does the starter CSP not include unsafe-inline?

Because unsafe-inline defeats most of CSP's XSS protection — our own checker downgrades any policy that allows it. Move inline scripts to external files, or use nonces or hashes, instead of allowing everything inline.

Do I still need X-Frame-Options if CSP has frame-ancestors?

frame-ancestors supersedes X-Frame-Options in every modern browser, but keeping both costs nothing and covers legacy user agents — the generator emits both by default.